3 Answers

You should be fine if you set up ip6tables the same way as you set up the iptables. Just make sure with netstat -l that you don't accidentally have services listening on the IPv6 interface that don't listen on IPv4 and that you therefore forgot to include in the ip6tables setup.

If you are worried about open ports, I would recommend that you run nmap with the regular options for IPv4 and compare that to an IPv6 nmap scan and make sure that they both give you your desired result.
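To make the netstat check above repeatable, here is an added helper (not part of the original answer) that reads `netstat -ltn` or `ss -ltn` output and prints the TCP ports that have an IPv6 listener but no IPv4 listener; it assumes the local address is the fourth column in both tools, treats `*:port` from older ss as IPv4, and is run here on a constructed sample rather than a live host.

```shell
#!/bin/sh
# Added example (not from the original answers): list TCP ports that have an
# IPv6 listener but no IPv4 listener. These are the services most likely to be
# missing from an ip6tables ruleset that was copied from iptables.
# Input is the output of `netstat -ltn` or `ss -ltn` on stdin; column 4 is the
# local address in both tools (0.0.0.0:22, 127.0.0.1:631, :::22, [::]:22).

ipv6_only_ports() {
    awk '
        # Only rows whose 4th field ends in ":<port>" are socket rows;
        # header and banner lines are skipped by this pattern.
        $4 ~ /:[0-9]+$/ {
            n = split($4, part, ":")
            port = part[n]
            # More than one ":" in the field means an IPv6 address
            # (":::22" from netstat, "[::]:22" or "[::1]:631" from ss).
            # "*:80" from older ss is treated as IPv4 (assumption).
            if (n > 2) v6[port] = $4; else v4[port] = $4
        }
        END {
            for (port in v6) if (!(port in v4)) print port
        }
    ' | sort -n
}

# Constructed sample in netstat -ltn format: sshd on both families,
# CUPS on both loopbacks, and a web service bound to IPv6 only.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN'

# Run against the sample; on a real host use: netstat -ltn | ipv6_only_ports
printf '%s\n' "$SAMPLE" | ipv6_only_ports
```

Any port it prints needs either a matching ip6tables rule or a decision to stop the service listening on IPv6.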

If you don't have a way to get a public address, IPv6 will be restricted to link local addresses. These are restricted to the local link, and should be slightly more secure than the private IPv4 ranges which can be routed within sites. The IPv6 equivalent is a site local address, but these are deprecated.

Firewall IPv6 with ip6tables, just like you would IPv4 with iptables. The Shorewall firewall tool can be configured to lock down IPv6, or its Shorewall6 version can be used to build an IPv6 firewall. IPv6 requires several more ICMP types than IPv4 to work correctly. shorewall and shorewall6 enable the minimal types for both when used with the example configurations. You have the option to enable additional types.

IPv6 does automatic configuration, so it is important to restrict incoming access if there is a risk that you may get a public address assigned. On the plus side, if the privacy extensions are enabled, your address will change every few hours, so your IPv6 address will only be vulnerable for a few hours before it is replaced with a different address. People with access to your traffic would still be able to identify your address and attempt to scan for open ports. The IPv6 address range on any network is huge, and it is not very practical to scan a network for hosts.

IPv6 can use SLAAC autoconfiguration. There is also the possibility of using DHCPv6 or static addresses. When using SLAAC and the privacy extensions you will still have an address generated based on the MAC address; it's just that this will not be used for outgoing connections. If people were to attempt an incoming connection to this address, it would exist.
– Richard Salts Aug 16 '13 at 6:21

You need to be aware of the RH0 security issue. While it's no longer necessary to use explicit firewall rules to mitigate this, as Linux kernels since about 2.6.20.9 (in 2007!) always ignore this traffic, you may run into older systems where you need to apply the firewall rules.

If you have certain traffic limited to specific hosts or subnets, you will have to write corresponding IPv6 firewall rules corresponding to the IPv6 addresses of those hosts or subnets.

You should not block ICMP on IPv6; since it is much more heavily reliant on ICMP, connections are likely to fail in mysterious ways if you do any sort of ICMP blocking.